1scponly(8)                BSD System Manager's Manual               scponly(8)
2

NAME

4     scponly
5

SYNOPSIS

7     scponly — limited shell for secure file transfers
8

DESCRIPTION

10     scponly is an alternative "shell" (of sorts) for system administrators
11     who would like to provide access to remote users to both read and write
12     local files without providing any remote execution privileges.  Function‐
13     ally, it is best described as a wrapper to the trusted suite of ssh
14     applications.
15
16     A typical usage of scponly is in creating a semi-public account not
17     unlike the concept of anonymous login for ftp.  This allows an adminis‐
18     trator to share files in the same way an anonymous ftp setup would, only
19     employing all the protection that ssh provides.  This is especially sig‐
20     nificant if you consider that ftp authentications traverse public net‐
21     works in a plaintext format.
22
23     Instead of just a single anonymous user, scponly supports configuring
24     potentially many users, each of which could be set up to provide access
25     to distinct directory trees.  Aside from the installation details, each
26     of these users would have their default shell in /etc/passwd set to
27     "/usr/bin/scponly" (or wherever you choose to install it).  This would
28     mean users with this shell can neither login interactively or execute
29     commands remotely.  They can however, scp files in and out, governed by
30     the usual Unixish file permissions.
31

FEATURES

33     ·   Logging: scponly logs time, client IP address, username, and the
34         actual request to syslog.
35
36     ·   chroot: scponly can chroot to the user's home directory (or any other
37         directory the user has permissions for), disallowing access to the
38         rest of the filesystem.
39
40     ·   sftp compatibility:  My testing of sftp against an scponly user
41         worked great.  This is probably the cleanest and most usable way for
42         an scponly user to access files.
43
44     ·   Security checks:  root login is disallowed (though root should never
45         be configured to be using scponly as the default shell.)
46
47     ·   WinSCP 2.0 compatibility: scponly can be compiled in WinSCP compati‐
48         bility mode that will permit a "semi-interactive" shell that WinSCP
49         can use.
50
51     ·   gftp compatibility: scponly is compatible with gftp if you set "use
52         ssh2 sftp subsys" in your gftp options.
53
54     scponly doesn't do anything to manage read/write permissions.  The ssh
55     applications already do that just fine.  If you use scponly, be aware
56     that good old Unix-style file permissions are still doing the work of
57     protecting your files.
58

NOTES

60     ·   As recent as June 26, 2002, vulnerabilities have been discovered in
61         OpenSSH.  There is also a SSH1 protocol vulnerability.  If you're
62         going to use scponly , be aware it is no more secure than the ssh
63         installation it runs on.
64
65     ·   I've since discovered that ssh.com's commercial ssh offering supports
66         BOTH "dummy users" as well as functionality paralleling scponly.  I
67         have not been able to find any notes on these features, but I did
68         read that they exist.  I will make a point to include more informa‐
69         tion later.  It appears that OpenSSH does not yet support these fea‐
70         tures.  At this time, I have no plans to end-of-life scponly, though
71         ultimately, I recognize that scponly should eventually become just a
72         feature of whichever sshd you may run.
73

FILES

75     /usr/bin/scponly                  The default location for the shell
76                                       itself.
77     /usr/sbin/scponlyc                The default location for the chrooted
78                                       version of scponly
79     /etc/shells                       To be a proper shell, it has to be
80                                       included here.
81

SEE ALSO

83     chroot(2), ssh(1), scp(1), sftp(1), shells(5), sshd(8).
84

AUTHORS

86     Joe Boyle <joe@sublimation.org>.
87

LEGALITIES

89     Copyright (C) 2001, 2002, 2003 Joe Boyle <joe@sublimation.org>.
90
91     Redistribution and use in source and binary forms, with or without modi‐
92     fication, are permitted provided that the following conditions are met:
93
94     1. Redistributions of source code must retain the above copyright notice,
95     this list of conditions and the following disclaimer.
96
97     2. Redistributions in binary form must reproduce the above copyright
98     notice, this list of conditions and the following disclaimer in the docu‐
99     mentation and/or other materials provided with the distribution.
100
101     THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
102     IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
103     OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
104     IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDEN‐
105     TAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
106     LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
107     DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
108     THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
109     (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
110     THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
111

BUGS

113     Versions prior to 2.4 have a vulnerability wherein the .ssh/environment
114     file can be used to override $PATH and $LD_LIBRARY_PATH vars, compromis‐
115     ing the shell.
116
117                                 Sept 03, 2002
Impressum